Remote Code Execution (RCE) via the Theme Editor [Academy]

The web shell has been loaded into an inactive theme and is working with commands like “ls” and “id”. I am having a problem finding the flag.txt in the directory specified in the question: “Once you have access to the target, obtain the contents of the “flag.txt” file in the home directory for the “wp-user” directory.” My question is: 1.) can you Pipe or otherwise “string” commands together with curl? Just cannot seem to locate this flag and don’t know where to start looking. Using something like $home does not seem to help.

Nevermind found it :slight_smile:

For others: all you need is echo and the correct directory :+1: